IOS Firewall Intrusion Detection
The IOS Firewall Intrusion Detection System (IDS) feature extends intrusion detection to Cisco routers and provides a cost-effective method for extending security services across network boundaries. Intrusion detection systems provide a level of protection beyond the firewall by protecting the network from internal and external attacks and threats that arise when routers forward traffic from one network to another. By leveraging the features of intrusion detection, the router can act as an inline probe, examining packets and flows and matching them against current IDS signatures, thus providing the same features that a dedicated probe or sensor device can provide without adding hardware to the network. Intrusion detection should be deployed in all parts of the network except the core layer elements of the network design; it should especially be deployed at the perimeter of the enterprise network and in the distribution layer, or wherever a router is deployed and additional security between network segments is required.
Typically, intrusion detection consists of three components:
- Sensor—A network device (in this case, a router with the IOS Firewall IDS feature set loaded) that uses a rules-based engine to interpret large volumes of IP network traffic into meaningful security events. The Sensor can also log security data and close TCP sessions. The Sensor reports the events to an IDS Director or a syslog server.
- Director—A device that provides centralized management and reporting for security issues. Sensors are managed through a graphical user interface, and the Director can provide many other services beyond centralized reporting.
- Post Office—A protocol that provides the backbone by which all IDS devices communicate with one another.
The IOS Firewall IDS uses real-time monitoring of network packets to detect intrusions or malicious network activity through the use of attack signatures. It searches for patterns of misuse by examining either the data portion or the header portion of network packets. Currently, the IOS Firewall IDS identifies 59 attack signatures.
A signature detects patterns of misuse in network traffic. In the Cisco IOS Firewall IDS, signatures are classified along two axes. Info signatures detect information-gathering activity, such as a port probe; attack signatures detect attacks attempted with the protected network as the intended target. Either kind can be atomic, detecting simple patterns of misuse, or compound, detecting complex patterns of misuse. This yields four signature types:
- Info Atomic
- Info Compound
- Attack Atomic
- Attack Compound
When the IOS Firewall IDS detects suspicious network traffic, and before the traffic causes a breach of the network's security policy, the IDS responds and logs all activity to a syslog server or to an IDS Director using the Post Office Protocol (POP).
With the IOS Firewall IDS software, security administrators can configure how the router responds to packets that match one of the attack signatures just mentioned. The software can be configured to use four different methods to respond to an attack when it matches a signature:
- Generate alarms—Alarms are generated by the Sensor and sent to one or more Directors. The Director displays the alarm and logs the event.
- Generate logs—Event logs can be sent to a separate syslog server so that the event can be analyzed.
- Reset TCP connections—The Sensor resets individual TCP connection requests during and after an attack to minimize the threat, while allowing all other valid requests to continue.
- Shun the attack—Upon matching a signature, the Sensor can be configured to deny requests to a host or subnet by dropping the packets. Shunning should be carefully thought out before being deployed in the production network.
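As an added example (not from the original text), the IOS `ip audit` configuration below maps the four response methods onto a router: info signatures alarm only, while attack signatures alarm, shun (drop) and reset. It assumes the IOS 12.x `ip audit` command syntax; the audit name, Post Office host/org IDs, addresses and interface are constructed placeholders.

```cisco
! Where events go: syslog (Generate logs) and the IDS Director (Generate alarms)
ip audit notify log
ip audit notify nr-director
!
! Post Office identity of this Sensor (the router) and of the Director
! (host/org IDs and addresses are constructed placeholders)
ip audit po local hostid 10 orgid 100
ip audit po remote hostid 1 orgid 100 rmtaddress 192.0.2.50 localaddress 192.0.2.1
!
! Audit rule: info signatures only raise an alarm; attack signatures alarm,
! drop the offending packets (Shun the attack) and reset the TCP connection
ip audit name PERIMETER info action alarm
ip audit name PERIMETER attack action alarm drop reset
!
! Staged rollout: run attack signatures in alarm-only mode first, then add
! drop and reset once the alarms have been reviewed on the Director/syslog
! ip audit name PERIMETER attack action alarm
!
! Apply the rule to inbound traffic on the perimeter interface (placeholder)
interface Serial0/0
 ip audit PERIMETER in
```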
If there are multiple signature matches in a session, only the first match triggers an action from the IOS Firewall IDS. Matches in other modules trigger additional alarms, but only one per session. This differs from the dedicated IDS Sensor device, which identifies all signature matches for each packet. The IOS Firewall IDS capabilities provide additional security visibility at the enterprise network perimeter. Security administrators gain more robust protection against attacks on the network and can automatically respond to threats from internal or external hosts.
The only significant disadvantage of using the IOS Firewall IDS features is that the overall performance of the router is slightly degraded and end-to-end propagation delay is added.